Looks a little better (at least there is some result):

# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss pslist --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0xfffffa8003cb7040 System                    4      0    103 ------ 2012-04-12 07:14:16      


Not quite as good with rev 1977:

# /usr/local/src/volatility-read-only-1977/vol.py -f myimage.vmss pslist --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit               
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0xfffffa8003cb7040 System                    4      0    103 -------- ------      0 2012-04-12 07:14:16                     
Traceback (most recent call last):
  File "/usr/local/src/volatility-read-only-1977/vol.py", line 185, in <module>
    main()
  File "/usr/local/src/volatility-read-only-1977/vol.py", line 176, in main
    command.execute()
  File "/usr/local/src/volatility-read-only-1977/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/taskmods.py", line 154, in render_text
    str(task.CreateTime or ''),
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py", line 278, in __nonzero__
    return self.v() != 0
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py", line 275, in v
    return self.windows_to_unix_time(value)
  File "/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py", line 262, in windows_to_unix_time
    unix_time = windows_time / 10000000
TypeError: unsupported operand type(s) for /: 'NoneObject' and 'int'

I'll work with folks to get them a copy of this VMSS...

The snapshot was made by pausing the machine, and then copying the vmss file out from the datastore. This was done on a VMware ESX 4.1.0, 502767 host. Let me know if I can provide any more info on it...

Cheers to all,

Jesse


On Fri, Jul 6, 2012 at 11:00 AM, nir izraeli <nirizr@gmail.com> wrote:
Jesse, what you're showing looks like it should work just fine...
Could you run a pslist (not psscan) and provide the full output?

Btw, AAron is looking for a file like yours (it has two regions instead of 0, which implies only a single region).
Can you tell us how you made the VMware snapshot and which product/versions you used to make it?

thanks!


On Fri, Jul 6, 2012 at 5:56 PM, Jesse Bowling <jessebowling@gmail.com> wrote:
Trying imageinfo with a debug flag ends like this:

DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xb3752d0>

DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG   : volatility.plugins.addrspaces.vmware: Read region count from file: 2
DEBUG   : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG   : volatility.plugins.addrspaces.vmware: Virtual Address:          0, Physical Address:        0, Size: C0000000
Virtual Address:  100000000, Physical Address: C0000000, Size: 40000000
DEBUG   : volatility.plugins.addrspaces.vmware: dtb: 187000
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at 0xb3754d0>

DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
--Return--
> /usr/local/src/volatility-read-only-may-01/volatility/debug.py(88)b()->None
-> pdb.set_trace()
(Pdb)


Cheers,

Jesse
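What the two regions in the debug log above mean, as an added example (not Volatility's code): the region values are the ones logged ("Virtual Address" is the start in guest physical memory, "Physical Address" the start inside the saved memory blob), and the memory blob's file offset is a constructed placeholder.

```python
from typing import List, NamedTuple, Optional

class Region(NamedTuple):
    guest_phys: int   # "Virtual Address" in the debug log: start in guest physical memory
    blob_offset: int  # "Physical Address": start inside the saved memory blob
    size: int         # length in bytes

# The two regions logged for Jesse's ~4 GB VM: the first 3 GB are stored as one run,
# the last 1 GB of RAM sits above the 4 GB line, so the 3-4 GB range (where PCI
# devices are typically mapped) is simply absent.  One region would mean no such gap.
REGIONS = [
    Region(guest_phys=0x0, blob_offset=0x0, size=0xC0000000),
    Region(guest_phys=0x100000000, blob_offset=0xC0000000, size=0x40000000),
]
MEMORY_BLOB_BASE = 0x10000  # constructed placeholder: file offset of the memory blob

def check_regions(regions: List[Region]) -> None:
    """Reject a map that cannot be walked safely: every region page aligned,
    ascending and non-overlapping in guest space, back-to-back in the blob."""
    prev = None
    for r in regions:
        if (r.guest_phys | r.blob_offset | r.size) & 0xFFF:
            raise ValueError("region not page aligned: %r" % (r,))
        if prev is not None:
            if r.guest_phys < prev.guest_phys + prev.size:
                raise ValueError("regions overlap or are not sorted in guest space")
            if r.blob_offset != prev.blob_offset + prev.size:
                raise ValueError("regions are not contiguous inside the memory blob")
        prev = r

def guest_to_file(addr: int, regions: List[Region], blob_base: int) -> Optional[int]:
    """Translate a guest physical address to a .vmss file offset.  None means
    'unmapped' (a hole); callers must not treat it as a number.  The rev 1977
    traceback above ('NoneObject' / 'int') is this kind of failure in practice."""
    for r in regions:
        if r.guest_phys <= addr < r.guest_phys + r.size:
            return blob_base + r.blob_offset + (addr - r.guest_phys)
    return None

def installed_ram(regions: List[Region]) -> int:
    """Bytes of guest RAM actually saved, regardless of where the runs are mapped."""
    return sum(r.size for r in regions)

if __name__ == "__main__":
    check_regions(REGIONS)
    dtb = 0x187000  # the DTB Volatility logged for this image
    print("DTB at file offset", hex(guest_to_file(dtb, REGIONS, MEMORY_BLOB_BASE)))
    print("guest 0xD0000000 (inside the hole) maps to", guest_to_file(0xD0000000, REGIONS, MEMORY_BLOB_BASE))
    print("saved RAM:", installed_ram(REGIONS) // 2**30, "GiB")
```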


On Fri, Jul 6, 2012 at 10:52 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
Ah, actually I see that that is no better... :(

First 1024:

# dd if=myimage.vmss bs=1 count=1024 | xxd
1024+0 records in
1024+0 records out
1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
0000000: d2be d2be 0800 0000 5b00 0000 4368 6563  ........[...Chec
0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000  kpoint..........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000  ............|...
0000050: 0000 0000 ab03 0000 0000 0000 6370 7500  ............cpu.
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: 0000 0000 0000 0000 0000 0000 2720 0000  ............' ..
00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d  ............BusM
00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000  emSample........
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 f301 0400  ................
00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d  ....O.......BusM
0000100: 656d 5365 7276 6963 6573 0000 0000 0000  emServices......
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 4202 0400  ............B...
0000140: 0000 0000 1200 0000 0000 0000 5555 4944  ............UUID
0000150: 564d 5800 0000 0000 0000 0000 0000 0000  VMX.............
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000180: 0000 0000 0000 0000 0000 0000 5402 0400  ............T...
0000190: 0000 0000 2e00 0000 0000 0000 5374 6174  ............Stat
00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000  eLogger.........
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 8202 0400  ................
00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f  ............memo
00001f0: 7279 0000 0000 0000 0000 0000 0000 0000  ry..............
0000200: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000210: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000220: 0000 0000 0000 0000 0000 0000 8402 0400  ................
0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461  ....~.......MSta
0000240: 7473 0000 0000 0000 0000 0000 0000 0000  ts..............
0000250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000270: 0000 0000 0000 0000 0000 0000 0200 0500  ................
0000280: 0100 0000 3619 0000 0000 0000 536e 6170  ....6.......Snap
0000290: 7368 6f74 0000 0000 0000 0000 0000 0000  shot............
00002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00002c0: 0000 0000 0000 0000 0000 0000 3819 0500  ............8...
00002d0: 0100 0000 a971 0000 0000 0000 7069 6300  .....q......pic.
00002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00002f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000310: 0000 0000 0000 0000 0000 0000 e18a 0500  ................
0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65  ............Time
0000330: 5472 6163 6b65 7200 0000 0000 0000 0000  Tracker.........
0000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000360: 0000 0000 0000 0000 0000 0000 ef91 0500  ................
0000370: 0100 0000 9900 0000 0000 0000 466c 6f70  ............Flop
0000380: 7079 0000 0000 0000 0000 0000 0000 0000  py..............
0000390: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003b0: 0000 0000 0000 0000 0000 0000 8892 0500  ................
00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573  ............Gues
00003d0: 744d 7367 0000 0000 0000 0000 0000 0000  tMsg............
00003e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00003f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
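A reader for the group table visible in this dump, as an added example (not Volatility's or VMware's code). The layout is read off the bytes above: a 12-byte preamble (magic, a u32 of unknown meaning, group count) followed by 80-byte entries (64-byte name, u64 tag-block offset, u64 tag-block size), and it is cross-checked by the way each entry's offset plus size equals the next entry's offset. The sample header is constructed from the first four entries of the dump.

```python
import struct
from typing import List, NamedTuple

VMSS_MAGIC = 0xBED2BED2           # the "d2be d2be" at offset 0 of the dump
PREAMBLE = struct.Struct("<III")  # magic, u32 of unknown meaning (reads 8 here), group count
ENTRY = struct.Struct("<64sQQ")   # 64-byte NUL-padded name, u64 tag-block offset, u64 tag-block size

class Group(NamedTuple):
    name: str
    tags_offset: int
    tags_size: int

def parse_groups(data: bytes) -> List[Group]:
    """Parse the group table at the head of a .vmss file.  A partial read (such as
    the 1024 bytes dumped above) yields only the entries that fit completely."""
    if len(data) < PREAMBLE.size:
        raise ValueError("short read: no header")
    magic, _unknown, count = PREAMBLE.unpack_from(data, 0)
    if magic != VMSS_MAGIC:
        # same shape as the ('Header signature invalid', <value>) error seen in the thread
        raise ValueError(("Header signature invalid", magic))
    groups = []
    for i in range(count):
        off = PREAMBLE.size + i * ENTRY.size
        if off + ENTRY.size > len(data):
            break  # the rest of the table lies beyond what was read
        raw_name, tags_offset, tags_size = ENTRY.unpack_from(data, off)
        name = raw_name.split(b"\0", 1)[0].decode("ascii")
        groups.append(Group(name, tags_offset, tags_size))
    return groups

def tag_blocks_contiguous(groups: List[Group]) -> bool:
    """Consistency check the dump itself satisfies: each group's tag block ends
    exactly where the next one begins (0x1c7c + 0x3ab == 0x2027, and so on)."""
    return all(a.tags_offset + a.tags_size == b.tags_offset
               for a, b in zip(groups, groups[1:]))

def build_sample_header(entries, declared_count=None) -> bytes:
    """Constructed sample: entry values are copied from the dump above.  The real
    file declares 0x5b groups; only the first four are packed here."""
    count = len(entries) if declared_count is None else declared_count
    blob = PREAMBLE.pack(VMSS_MAGIC, 8, count)
    for name, offset, size in entries:
        blob += ENTRY.pack(name.encode("ascii"), offset, size)
    return blob

SAMPLE_ENTRIES = [
    ("Checkpoint", 0x1C7C, 0x3AB), ("cpu", 0x2027, 0x3E1CC),
    ("BusMemSample", 0x401F3, 0x4F), ("BusMemServices", 0x40242, 0x12),
]
SAMPLE_HEADER = build_sample_header(SAMPLE_ENTRIES, declared_count=0x5B)

if __name__ == "__main__":
    for g in parse_groups(SAMPLE_HEADER):
        print("%-16s tags at 0x%x, %d bytes" % (g.name, g.tags_offset, g.tags_size))
```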



On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
Seems better:

root@Forensic-1:/case2/4132012/biweb/mem# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan

Volatile Systems Volatility Framework 2.1_alpha
 Offset(P)  Name             PID    PPID   PDB        Time created             Time exited            
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...

 VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...





On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy@gmail.com> wrote:
Try to place them in volatility/plugins/addrspaces/ instead and then
do a `make clean` before running



On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
> Disclaimer:
>
> So I took Nir's files, and dropped them into my plugins folder...I did not
> see any new plugins using vol.py -h, and when I tried to do an imageinfo I
> got:
>
> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
>
> Volatile Systems Volatility Framework 2.1_alpha
> Determining profile based on KDBG search...
>
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 34, in render_text
>     for k, v in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py", line 44, in calculate
>     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 119, in calculate
>     for offset in scanner.scan(aspace):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py", line 83, in scan
>     for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> So:
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
>  Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> No suitable address space mapping found
> Tried to open image as:
>  WindowsHiberFileSpace32: No base Address Space
>  VMWareSnapshotFile: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  JKIA32PagedMemory: No base Address Space
>  JKIA32PagedMemoryPae: No base Address Space
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  WindowsHiberFileSpace32: No xpress signature found
>  WindowsHiberFileSpace32: No xpress signature found
>  VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>  JKIA32PagedMemory: Failed valid Address Space check
>  JKIA32PagedMemoryPae: Failed valid Address Space check
>  IA32PagedMemoryPae: Module disabled
>  IA32PagedMemory: Module disabled
>  FileAddressSpace: Must be first Address Space
>
> At least it doesn't crash. So now:
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
>  Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>     for eprocess in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>     for offset in PoolScanProcess().scan(address_space):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>
> Volatile Systems Volatility Framework 2.1_alpha
>  Offset(P)  Name             PID    PPID   PDB        Time created             Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
> Traceback (most recent call last):
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in <module>
>     main()
>   File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in main
>     command.execute()
>   File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 415, in render_text
>     for eprocess in data:
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py", line 405, in calculate
>     for offset in PoolScanProcess().scan(address_space):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 218, in scan
>     for i in BaseScanner.scan(self, address_space, offset, maxlen):
>   File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line 136, in scan
>     skip = max(skip, s.skip(data, i))
>   File "/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py", line 49, in skip
>     nextval = data.index(self.tag, offset + 1)
> AttributeError: 'NoneType' object has no attribute 'index'
>
> I have limited testing time the next couple weeks, so will look to see if I
> can share this with someone like SA in the meantime...
>
> Cheers,
>
> Jesse
>
>
> On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr@gmail.com> wrote:
>>
>> I assume you need it for something other than testing my patch,
>> I can send parts of the vmss of the machine where I already noticed more
>> than one region.
>> Could you use that to gather the info you need?
>>
>> Btw, I'm also using VMware Converter Standalone pretty often, it might
>> also be related
>>
>>
>> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters@4tphi.net> wrote:
>>>
>>>
>>> Nir,
>>>
>>>
>>>> AAron - actually it was quite rare, but the first vmss I used to test
>>>> the patch had two or three, which made my patch break when I first tested
>>>> it on other VMs.
>>>> I could try to pinpoint it, but I guess it would be easier for me to
>>>> reverse the vmware code than try it manually :)
>>>> A thing to note is that that vmss also had two virtual CPUs, which might
>>>> have caused having more than one region. It also had ~4G of RAM. Most of
>>>> the other VMs I used only had about 512M.
>>>> Did you try to run it on other vmss files that resemble the one I
>>>> described?
>>>
>>>
>>> Interesting.  I have never seen a vmss with multiple regions. If you
>>> happen to come across one again, please let me know. I'd be interested in
>>> what conditions or what product leads to more than one region.
>>>
>>> Thanks,
>>>
>>> AW
>>
>>
>
>
>
> --
> Jesse Bowling
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92



--
Jesse Bowling




